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Dedicated to the memory of Prof. John Lewis Selfridge 

Abstract. We prove that an odd number n is an Euler pseudoprime for 
exactly one half of the admissible bases if and only if n is a special Carmichael 

Tl-l 

number, that is, a 2 = Imodn for every invertible 



1. Introduction 

Given a large odd number n without small factors, one can try to decide whether 
n is prime by randomly taking some a coprime with n and computing a"~^ modn. 
If this value is not 1, then n is certainly not prime, by Fermat's little theorem. 
Otherwise we can only say that n is probably prime. Actually either n is prime or 
n is pseudoprime for the base a; the latter is equivalent to saying that a is a liar to 
Fermat's primality test. 

Even if Fermat's primality test is often correct, unfortunately it cannot be trust- 
ingly used as a Monte-Carlo primality test because there exist odd composite num- 
bers that are pseudoprimes for all of the bases coprime with n. These numbers 
are called Carmichael numbers: they are much rarer than primes but they are still 
infinite, as proved by Alford, Granville and Pomerance in [1]. 

Instead of considering Fermat's little theorem one could use Euler's criterion: 

p— 1 

namely Euler proved that if p is an odd prime, then a~2~ = modp for every a, 
where (^) is the Legendre-Jacobi symbol. Thus the primality of a large odd number 

n can be tested by checking = (^) modn for some a coprime with n. If this 

relation is not satisfied then n is certainly not prime; otherwise n is probably prime 
and, as before, we have that either n is prime or n is an Euler pseudoprime for the 
base a; the latter is equivalent to saying that a is a liar to the Solovay-Strassen 
primality test. 

In order to confidently use this primality test in a Monte-Carlo method, it was 
very important to establish for how many bases an odd composite number can be an 
Euler pseudoprime. It has been reported to the author by Pomerance that Selfridge 
was probably the first one to realize that for every odd composite number n there 
is at least one x for which n is not an Euler pseudoprime for the base x, but he did 
not publish his discovery (see [21 §5], where Selfridge is credited). Anyway, a few 
years after Selfridge's discovery, both Lehmer (see [S]) and Solovay-Strassen (see 
[5]), independently, proved the same result. In particular, Solovay and Strassen also 
noticed that the subset of bases in J7(Z„) := {a £ Z„ | gcd(a, n) = 1} for which 
n is an Euler pseudoprime is actually a subgroup. As an easy consequence of this 
fact, they showed that no odd composite number can be an Euler pseudoprime for 
more than half of the admissible bases (that is, elements of the group ?7(Z„)): 

(1) |a e [/(Z„) I a'T^ = (^^) mod n| <0(n)/2. 
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This remark paved the way for an efhcient probabihstic primahty test, named 
Solovay-Strassen after the two authors. 

During the subsequent years many papers about pseudoprimes, Euler pseudo- 
primes, strong pseudoprimes appeared: for example, an article by Pomerance, Self- 
ridge and Wagstaff ([7]), where many properties are stated and many examples are 
given and an article by Monier (^), where a formula to count the number of liars 
is given. 

The purpose of this note is just to understand in which cases the bound in ([1]) 
is actually achieved. 

We will prove the following in an equivalent form as Proposition 13.41 

Proposition 1.1. Let n be an odd composite number. Then n is an Euler pseudo- 
prime for exactly one half of the bases in t/(Z„) if and only if a~2~ ~ 1 modrt for 
every a £ U (Z„). 

Acknowldegments. The author wishes to warmly thank Prof. C. Pomerance for 
his kindness and for many helpful discussions. 

2. Preliminary lemmas 

Lemma 2.1. Let n > 2 be an odd number. Then, for any a G Z, a"~^ ^ —1 modn. 

Proof. Let n — p"^ • • •p"'', Pi distinct prime numbers. Without loss of generality we 
can suppose that gcd(a, n) = 1 and that v V2 {pi — 1) < V2{pi — 1) for all 1 < i < r 
(f2 being the dyadic valuation). By contradiction, suppose a"^^ = — Imod?!. 
Then, in particular, a"~^ = — lmodp"\ Let g be a generator for and let 

h be such that g'^ = amodp"\ Then = — lmodp"\ that is, 

but (j>ip'^')>(hin~l). 

Hence there exists k gZ, k odd, such that (j){pi^)k = 2h{n — 1), that is, Pi^~^{pi — 
l)k = 2h{n — 1). It follows that v = V2{pi — 1) > V2{n — 1); however this is not 
possible since Pi = I mod 2'" for every 1 < i < r and thus n — 1 = mod 2'" . □ 

Lemma 2.2. Let n be an odd composite number and let -B {a G J7(Z„) | = 
±lmodn}. Lf \B\ > (f>(n)/2, then n is a Carmichael number. 

Proof. If |-B| 4>in) the statement is trivial, therefore from now on we can suppose 
that \B\ — (j){n)/2. Let B' := {a £ C/(Z„) | = +lmodri}. It is easily seen 

that two cases can occur: either B' = B, that is, B' has index 2 in [/(Z„), or 
C := B \ B' 7^ is a coset of B' in [/(Z„), that is, B' has index 4. In the first 

71 -1 

case, for any h ^ B' we have h'^ e B' , that is, — ^ = Imodn. In 

the second case we can conclude by observing that again U{Zn)/B' has elements 
of order at most 2. Indeed C has order two in U{Zn)/B', therefore ii h ^ B, 
then must be in B' or in C, but the latter is not possible because otherwise 
h"^'^ = 2 = — Imodn. contradicting Lemma l2.1l □ 

Remark 2.3. Notice that in the proof of Lemma [2.21 the second case (C 7^ 0, B' 
has index 4) does not actually occur. In fact, since we have proved that n is 
a Carmichael number, we now know that n = pi---pr with r > S, pi distinct 
primes (see, for example, [4| Proposition V.1.2, Proposition V.1.3]). For every 
1 < I < r, let gi be a generator of [/(Zp. ). Since C 7^ 0, there exists b S U{Z„) 
such that 6~2— ^ — Imodn, that is, b^~ ^ Imodpi for every i. In particular 
(7j ^ ^1 mod Pi for every i. For every 1 < i < r, let Xi be the solution mod n of the 
system X = giUiodpi, X = Imodn/pi. Notice that for every i, x^^ ^ ±lmodn 
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and that for any i ^ x^^ ^ x^ ^ modrt. Therefore, since r > 3, B' must have 
index > 5. 

Lemma 2.4. Let n > 2 be an odd number. Let 

Pn ■■= {a e C/(Z„) I (^) = l} , 

N,,:={aeU{Z,,) \ (^) = -l} . 
If n is not a perfect square then |P„| — |iV„| — (f)(n)/2. 

Proof. Notice that we need only to prove that if n is not a perfect square, then 
Nn 0, since in this case Nn is just a coset of the subgroup P„ in [/(Z„). Let 
n = ■ ■ ■ Pr"' 1 Pi distinct primes. Without loss of generality we can suppose that 
ai is odd. Choose q £ U{Zp-^) such that q is not a quadratic residue modpi. Let x 
be any solution of 

( X = q modpi 
1 X = 1 mod P2 ■ ■ ■ Pr 
Clearly gcd(a;,n) = 1. Moreover 

in) (pi) i^pr) ^ 
that is, Nn 7^ 0. □ 

3. SPECIAL CARMICHAEL NUMBERS 

Definition 3.1. Let n be an odd composite number. We say that n is a special 
Carmichael number if = Imodn for all a G ?7(Z„). 

Following Korselt, we have the characterization below: 

Proposition 3.2. n is a special Carmichael number if and only if n is odd, square- 
free and {p — \) I ^^^Y^ for every prime p such that p\n. 

Proof. Just a minor modification of Korselt 's proof is needed (see, for example, [H 
Proposition V.I.2]). □ 

Remark 3.3. It is clear that special Carmichael numbers are Carmichael numbers. 
As explained in [5J Exercise 3.24] the proof of the infinitude of Carmichael numbers 
(see [T]) actually implies that there are infinitely many special Carmichael num- 
bers. The least example is the famous "taxicab" number 1729, dear to Hardy and 
Ramanujan. The first elements of the sequence of special Carmichael numbers are 
1729, 2465, 15841, 41041, 46657, 75361, 162401, 172081, 399001, 449065, 488881, . . .. 
It is also clear from Proposition 13.21 that every special Carmichael number must be 
= 1 mod 4. 

We are now ready to prove our main result. 

Proposition 3.4. Let n be an odd composite number. Then n is an Euler pseu- 
doprime for exactly one half of the bases in U{'Ln) if and only if n is a special 
Carmichael number. 

Proof. If n is a special Carmichael number then, in particular, n is a Carmichael 
number and thus n is square- free. Therefore, by Lemma l2.4l n is an Euler pseudo- 
prime for half of the bases in U{Zn), namely for all a S C/(Z„) such that (^) = 1. 

Conversely, suppose that n is an Euler pseudoprime for exactly one half of the 
bases in [/(Z„). Then by hypothesis a^T~ = itlmodn for at least one half of the 
admissible bases and therefore, in particular, n is a Carmichael number by Lemma 
12.21 thus n ^ pi ■ ■ - pr, Pi distinct primes, r > 3. By 'T, Exercise 3.24] and Remark 
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12.31 either a 2 = Imodn for every a £ U{'Ln) or a 2 = Imodn for exactly one 
half of the admissible bases (while a~2- ^ ±1 raodn for the other half). We must 
rule out the latter case. 

By hypothesis and by Lemma [2.41 (■^) = 1 for all a e U{Zn) such that = 

1 modn, while (^) = —1 for all a e U{Zn) such that ^ 1 modn. We will now 
exhibit x G C/(Z„) such that ^ 1 but (^) = 1, a contradiction. 

Let b £ C/(Z„) such that ^ 1. In particular, there exists a prime factor p 
of n, say pi, such that ^ Imodpi. Let g be a generator of J7(ZpJ, so that 

^ Imodpi. Let g' be a generator of {/(Zp^). Let a; be the unique solution 
mod n of the system 

X = g modpi 
X = g' modp2 
X = 1 mod P3 ■ ■ - pr 

We see immediately that ^ 1 modrt and 

Remark 3.5. As Pomerance kindly pointed out to the author, Proposition [33] can 
also be proved by a careful consideration of all the cases in Monier's formula for 
the number of liars to the Solovay-Strassen test (see [51 Proposition 3] and [3]). 
Actually Monier, in [6j, also observes that odd composite numbers achieving the 
bound in ([1} are Carmichael numbers, but he does not make calculations explicit 
and misses to give a complete characterization (although he was probably aware 
of the gist of Proposition 13. 4p . It is also worth remarking that Monier, in [6], 
additionally gives a formula for the number of liars to the Miller-Rabin test. This 
formula can be used to give a complete characterization of odd composite numbers 
n achieving the bound (f){n)/A for strong pseudoprimes: see [6] and [91 Equation 1.5 
and §5]. 

□ 
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